A path traversal vulnerability affecting the Windows version of WinRAR

CVE-2025-8088 is a Windows-only WinRAR path traversal bug that abuses NTFS Alternate Data Streams during archive extraction. A crafted archive can make vulnerable WinRAR components write files outside the folder the user chose, including persistence-friendly locations like Startup, %TEMP%, or user-writable app paths. Affected software includes WinRAR for Windows, Windows RAR/UnRAR, UnRAR.dll, and portable Windows UnRAR builds before 7.13; Linux/Unix builds and RAR for Android are not affected.

The vendor/NVD HIGH label is directionally right, but the raw 8.8 overstates broad enterprise urgency because this is not an internet-reachable service bug. It needs delivery, a victim using WinRAR on Windows, and user interaction to open/extract the archive. What keeps it firmly HIGH instead of a downgrade to MEDIUM is the ugly combination of KEV status, confirmed in-the-wild abuse, low exploit complexity once the archive lands, and a clean path to persistence and code execution under the victim context.

Why this verdict

• Starts at 8.8, then loses points on reachability: this is not an unauthenticated service exploit; it is a user-assisted client-side archive bug.
• Attacker position implies an earlier stage compromise or successful social engineering: the attacker needs delivery into the enterprise and a user action to open/extract with the affected tool.
• Exposure population is narrower than CVSS assumes: only Windows hosts with vulnerable WinRAR-family components are in play, not every exposed enterprise edge system.
• Modern controls should break the chain before impact: email security, attachment detonation, EDR, and application control all have credible interception points.
• But KEV plus live campaigns pull it back up hard: ESET observed real exploitation and CISA KEV confirms this is not hypothetical lab-only risk.
• Blast radius is typically user-context first, not instant domain-wide compromise: still serious, but not the same operational category as a pre-auth edge RCE on a server fleet.

Why not higher?

This is not an internet-facing, wormable, pre-auth server bug. It needs a delivered archive, a vulnerable Windows endpoint with WinRAR-family tooling, and user interaction to trigger extraction; those are compounding frictions that materially shrink reachable population. Even after successful exploitation, the initial blast radius is usually the victim context, not immediate enterprise-wide control.

Why not lower?

KEV status means the exploitation debate is over. Real operators have already used this bug in targeted campaigns, and the exploit path is practical: write outside extraction, land in Startup or another runnable path, and convert a normal user action into persistent malware execution. For enterprise defenders, that is too operationally proven to score as MEDIUM.

1. Block RAR intake from untrusted channels — At mail gateways, web proxies, and collaboration platforms, quarantine or detonate inbound .rar archives from the internet and external senders. Because this CVE is KEV-listed / actively exploited, deploy this compensating control immediately, within hours if patching cannot complete first.
2. Hunt for vulnerable WinRAR installs — Use software inventory, SCCM/Intune, EDR, or package inventory to identify WinRAR.exe, rar.exe, and UnRAR.dll versions before 7.13. Prioritize endpoints used for HR, finance, executives, and admin workflows where archive lures are more likely; with active exploitation evidence, complete this triage immediately, within hours.
3. Alert on archive utilities writing to autoruns — Create EDR detections for WinRAR.exe or rar.exe writing executables, LNKs, BATs, or DLLs to Startup, %AppData%, %ProgramData%, or unexpected temp-to-autostart paths. This does not replace patching, but it can catch the exploit at the file-write stage; deploy immediately, within hours.
4. Restrict execution from user-writable paths — Use WDAC/AppLocker/SRP or equivalent to block execution from %TEMP%, %APPDATA%, downloads, and Startup-adjacent user-writable locations where these payloads commonly land. This is especially valuable if you cannot patch every endpoint at once; implement immediately, within hours.
5. Strip WinRAR from low-need endpoints — If a user group does not need WinRAR, uninstall it or replace it with a managed, approved archiver that your organization can update centrally. For environments with slow patch governance, reducing installed base is the cleanest exposure reduction; start immediately, within hours for high-risk users.

Run this on the target Windows host or through your EDR/management agent. Example: powershell -ExecutionPolicy Bypass -File .\check-winrar-cve-2025-8088.ps1; standard user rights are usually enough for file version checks, but local admin improves registry and multi-path coverage.

# check-winrar-cve-2025-8088.ps1

# Detects likely exposure to CVE-2025-8088 on Windows hosts.

# Checks WinRAR.exe / rar.exe / UnRAR.dll versions where commonly installed.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'
$patchedVersion = [version]'7.13.0.0'
$found = @()

function Add-FoundFile {
    param(
        [string]$Path
    )
    if (Test-Path -LiteralPath $Path) {
        try {
            $item = Get-Item -LiteralPath $Path
            $verString = $item.VersionInfo.FileVersion
            if (-not [string]::IsNullOrWhiteSpace($verString)) {
                $clean = ($verString -replace '[^0-9\.]', '')
                $ver = [version]$clean
                $script:found += [pscustomobject]@{
                    Path = $Path
                    Version = $ver
                    RawVersion = $verString
                }
            }
        } catch {
        }
    }
}

# Common install paths

$paths = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe",
    "$env:ProgramFiles\WinRAR\Rar.exe",
    "$env:ProgramFiles\WinRAR\UnRAR.dll",
    "$env:ProgramFiles(x86)\WinRAR\WinRAR.exe",
    "$env:ProgramFiles(x86)\WinRAR\Rar.exe",
    "$env:ProgramFiles(x86)\WinRAR\UnRAR.dll"
)

foreach ($p in $paths) { Add-FoundFile -Path $p }

# Registry uninstall keys

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

foreach ($root in $uninstallRoots) {
    try {
        Get-ItemProperty $root | Where-Object {
            $_.DisplayName -match 'WinRAR'
        } | ForEach-Object {
            if ($_.InstallLocation) {
                Add-FoundFile -Path (Join-Path $_.InstallLocation 'WinRAR.exe')
                Add-FoundFile -Path (Join-Path $_.InstallLocation 'Rar.exe')
                Add-FoundFile -Path (Join-Path $_.InstallLocation 'UnRAR.dll')
            }
        }
    } catch {
    }
}

# Deduplicate by path

$found = $found | Sort-Object Path -Unique

if (-not $found -or $found.Count -eq 0) {
    Write-Output 'UNKNOWN: WinRAR/UnRAR components not found in common locations.'
    Write-Output 'UNKNOWN'
    exit 2
}

$vuln = $false
foreach ($f in $found) {
    Write-Output ("Found: {0} | Version: {1}" -f $f.Path, $f.RawVersion)
    if ($f.Version -lt $patchedVersion) {
        $vuln = $true
    }
}

if ($vuln) {
    Write-Output 'VULNERABLE: One or more WinRAR/UnRAR components are older than 7.13.'
    Write-Output 'VULNERABLE'
    exit 1
} else {
    Write-Output 'PATCHED: Detected WinRAR/UnRAR components are 7.13 or newer.'
    Write-Output 'PATCHED'
    exit 0
}

Sources

1. NVD CVE-2025-8088
2. WinRAR 7.13 final release notes
3. CISA Known Exploited Vulnerabilities catalog entry
4. ESET press release on RomCom exploitation
5. WeLiveSecurity technical write-up
6. Wiz vulnerability page with EPSS mirror
7. Public PoC repository
8. Detection content repository